First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.
To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:
1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance
Risk Assessment Basic Steps for ISO 27001:
o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods